South Korea's cybersecurity certification system is under threat following Coupang's unprecedented breach affecting 33.7 million users

Major Data Breach at Coupang Impacts Nearly All Users

Coupang, the top e-commerce company in South Korea, has experienced a significant data breach that compromised the personal information of 33.7 million users—almost its entire customer base. This event is now considered one of the most severe privacy breaches in the nation's history.

Investigations suggest that the breach began around June 24 and remained undetected for approximately five months. During this period, sensitive data such as customer names, email addresses, phone numbers, delivery locations, and partial order records were exposed. Coupang has stated that no payment information, credit card details, or login credentials were accessed. Nevertheless, the magnitude of the incident has sparked serious concerns about cybersecurity standards and regulatory effectiveness in South Korea’s digital marketplace.

Suspect Identified in International Data Theft

Authorities believe the breach was carried out through unauthorized access from overseas servers. Police have identified a former Chinese employee of Coupang, who has since left both the company and South Korea, as a primary suspect. This case stands out from previous regional data leaks, which were usually the result of external cyberattacks. Coupang’s CEO, Park Dae-joon, has issued a public apology, admitting to shortcomings in internal security and pledging full cooperation with the ongoing investigation.

Government Response and Potential Penalties

In response to the breach, government agencies have launched an urgent inquiry to determine if Coupang failed to comply with South Korea’s strict personal data protection regulations. The Ministry of Science and ICT, along with the Personal Information Protection Commission, is closely examining the company’s practices. This incident surpasses the scale of SK Telecom’s April 2025 data leak, which affected 23.2 million users and resulted in a record fine of 134.8 billion won (about $92 million). Experts predict that Coupang could face even harsher penalties due to the larger number of affected accounts and its history of repeated breaches since 2020.

Ongoing Criticism Over Security Practices

Despite holding the ISMS-P certification—a government-backed security standard—since 2021, Coupang has suffered four separate data breaches and incurred fines totaling 1.5 billion won (approximately $1.02 million) over the past five years. This latest incident has intensified scrutiny of national cybersecurity certifications, with critics arguing that oversight must adapt to counter increasingly sophisticated internal threats.

Wider Implications for South Korea’s Digital Security

The breach highlights growing weaknesses in South Korea’s digital infrastructure. The Korea Internet & Security Agency has issued warnings to affected users about the risks of phishing and identity theft. Coupang has advised customers to stay alert for suspicious messages and to monitor their accounts for any unauthorized activity. The incident has also renewed calls for stronger enforcement of data protection laws, with lawmakers demanding greater corporate accountability.

As investigations proceed, the impact of the breach extends beyond Coupang, underscoring the broader challenges of protecting user data in an increasingly digital society. For South Korea—a global leader in technology and online commerce—this event is a crucial test of its ability to maintain both innovation and robust security measures.